Module 4: Securing the Web Server

1

Overview

• Securing IIS

• Securing Apache

2

3

Securing IIS

Securing IIS Servers

• Installation

• Authentication

• Permissions and Authorization

• Web Applications

• Protect the Metabase

• Monitoring and Logging

• Utilities

• Miscellaneous

• Web sites, products, training

Installation

• Only install necessary components

• Do not have server connected to Ethernet during the installation

• Apply all service packs and hot fixes

• Remove printer and file support

• Disable unnecessary services and subsystems

• Delete sample files

• Delete or move sample scripts

• Remove Internet Explorer

• Security Templates

• Remove any resource kits or SDKs that were installed

• Secure dangerous executables

Authentication

• Anonymous access

• Use of SSL

Permissions & Authorization

• NTFS permissions for website content volumes

• Set initial NTFS permissions settings on the root of the volume

• Administrators : Full control (Apply onto: This folder, sub folders, and files)

• System: Full control (Apply onto: This folder, subfolder sand files)

• Check the box on the Permissions tab to “Reset permissions on all child objects and enable propagation of inheritable permissions”

Best Practices for Website Folders

• Physical folder structure

• /root – starting point of the website

- Home page

• /scr – stores scripts

-Don’t call it “scripts” as this is a tip -off for hackers

• /exe – executables

-Don’t call it “bin” or “cgi-bin” as this is a tip-off for hackers; may not even want to call it “exe”

• images – graphics

-Reduces clutter in other folders and can be removed from logging

ISAPI Filters vs. ISAPI Extensions

• Filters are DLLs which register “hooks” with IIS so that they will be invoked when certain internal IIS events occur.

• Event triggers pass control of a request or response to an ISAPI filter DLL (Example: SSL encryptions)

• Extensions are DLLs or programs which are associated with files of a certain filename extensions so that when a browser makes a request to such a file, the program is automatically executed.

• Typically script engines or command interpreters

lISAPI Filters

• Four default filters

• SSPIFILT.DLL – implements SSL encryption for all websites using HTTPS

• COMPFILT.DLL – implements HTTP compressions of requested files using GZIP and DEFLATE protocols

• MD5FILT.DLL – used with Digest authentication

• FPEXEDLL.DLL – provides compatibility with FrontPage

Protect the Metabase

• The “metabase” is IIS’s configuration database (like the system registry)

• Location is determined by a registry value which can be modified (not recommended unless you’re paranoid!)

• Hive: HKEY_LOCAL_MACHINE

• Key: \Software\Microsoft\InetMgr\Parameters

• Value Name: MetadataFile

• Value Type: REG_SZ

• Value Data: <drive letter, path, and filename of the metabase>

• Move the HTTP/FTP root folders off the %systemroot% volume

• Secure the registry key which determines the metabaselocation

• Audit all failed access to the metabasefile

• Set NTFS permissions on the metabasefile to the following:

Administrators: Full Control

System: Full Control

Monitoring and Logging

• Use performance monitor

• Log monitor output to a data file

• Determine an appropriate period of time for monitoring activity

• Get a baseline set of statistics

What to Monitor?

Active Server Pages

• Errors/Sec

• Request Not Authorized

Disk

• Logical Disk\% of Free Space]

IP

• Datagrams Received Header Errors

• Datagrams Received Unknown Protocol

• Fragment Re-Assembly Failures

Event Viewer Logs

• NTFS File Access Audit

• Audit all the different types of failed access for the entire file system

• Audit successful actions for Everyone for:

-Create Files / Write Data

-Create Folder / Append Data

-Delete Subfolders and Files

-Delete

-Change Permissions

-Take Ownership

IIS Protocol Logging

• Enable logging at the website

• Disable logging for each folder/file you don’t want to log

• Set the location for the log files

• Secure the log files using NTFS permissions

Utilities

• Resource Kit

• METAEDIT.EXE – IIS configuration tool

• PLAYBACK.EXE –Records incoming traffic on an IIS 5.0 server then allows it to be played back on another server

• Stress test utility

• IIS Permissions Wizard Template Maker

Miscellaneous

• Throttling IIS

-Limit connections

-Set connection timeouts

• Administration Website (HTMLA)

-Secure the site with SSL, authentication, IP address restrictions

Unused Services

• Follow a defense-in-depth approach to securing SQL Server

• Apply service packs and patches

-Use MBSA to detect missing SQL updates

• Disable unused services

-MSSQLSERVER

-SQLSERVERAGENT

-MSSQLServerADHelper

-Microsoft Search

-Microsoft DTC

Top 10 Actions to Secure IIS

• Harden the operating system and apply all relevant security updates

• Remove unnecessary components

• Configure URLScan

• Place content on a separate NTFS partition

• Protect files by using minimal permissions

• Require encryption for sensitive Web traffic

• Do not enable both the Execute and Write permissions on the same Web site

• Run applications using Medium or High application protection

• Use LPA for App Pool Account

• Use IPSec filtering to allow only required traffic (HTTP and HTTPS) to the Web server

Demonstration : Securing IIS 6.0

Unused Services

The IIS Lockdown Tools provides the option to disable unused IIS-related services; however, you should manually disable other unused services

The following services must be running for IIS to run properly :

•Event Log

•License Logging Service

•Windows NTLM Security Support Provider

•Remote Procedure Call (RPC) Service

•Windows NT Server or Windows NT Workstation

•IIS Admin Service

•MSDTC

•World Wide Web Publishing Service

•Protected Storage

31

Securing Apache

Secure the Operating System

• Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet

• Access to and from the Internet controlled by a firewall

• Apache web server must be the only service running on the machine

• Only necessary Apache modules to be loaded

• Diagnostic web pages and automatic directory listings turned off

32

Minimize the amount of security disclosure

• Run the Apache process under a unique UID

• Limit the Apache process by chrooting/sandboxing

• Ensure no shell programs are in the chroot environment

33

Build Apache with only the modules required:

• Http_core

• Mod_access

• Mod_auth

• Mod_dir

• Mod_log_config

• Mod_mime

Do not install: mod_autoindex and mod_info Compiled statically, which also removes the need for mod_so

34

10 things you should do to secure Apache

• Update

• Use the right user:group

• Turn off unwanted services

• Disable unused modules

• Restrict access

• Limit request size

• Employ mod_security

• Do not allow browsing outside the document root

• Hide Apache’s version number

• Immunize httpd.conf

Unused Services

• Directory browsing-This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexing”.

• Server side Includes-This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”.

• CGI execution-Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.

• Symbolic links-Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.

• None-You can turn off all options (in the same way you set the above) using “None” with the Option directive.

Patching

A "Patch" is the set of differences between two versions of the same file. A patch comprises one or more "diff" files. These diffs are produced by the program of the same name: diff.

Steps to manually apply the FrontPage Apache patch to a new Apache server

• Before compiling and installing the Apache patch, you must install the FrontPage Server Extensions. When the setup script untars the FrontPage Server Extensions, it also untars the FrontPage Apache patch source file Fp-patch-apache_1.3.x. If you run Fp_install.sh, let it untar the Fp40.platform.tar.Z without installing a root Web or sub/per user Webs, or virtual Webs.

• Copy the Fp-patch-apache_1.3.x into your Apache server build directory (usually /usr/local/Apache_1.3.x). The Fp-patch-apache_1.3.x file is found in/usr/local/frontpage/version4.0/apache-fp/fp-patch-apache_1.3.x.

• Using the GNU version of the patch utility, run the patch command on the FrontPage 2000 Apache patch source file: patch -p0 <fp-patch-apache_1.3.x

• Create the makefile for the patched server. For a server that uses 1.3.0 or later directory structure: ./configure --add-module=mod_frontpage.c

• For a server that uses 1.2.x, directory structure: ./configure --add-module=mod_frontpage.c --compat

Steps to manually apply the FrontPage Apache patch to a new Apache server

• You can append --prefix=/usr/local/apache to get your install directories the way you want them. For instance, for a install directory of /usr/local/apache: ./configure --add-module=mod_frontpage.c --prefix=/usr/local/apache

• Build the Apache server: make

• Install the server: make Install

• After installing the server, you will need to run the Change_server.sh. This file was untarred when you ran the Fp_install.sh script. The Change_server.sh resides in /usr/local/frontpage/version4.0. When you run the Change_server.sh, you will be prompted whether or not to replace the httpd daemon.

• You can install the Server Extensions using Fp_install making sure when prompted to install to Apache-fp when asked which server you are using.

Apache and MySQL configurations, patching services and cluster

43